From 121ed7d859dc09459d6309cdcc22a230cf342371 Mon Sep 17 00:00:00 2001 From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 02:10:35 +0000 Subject: [PATCH 1/3] Update docs/security/data-masking/access-unmasked-data.mdx Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com> --- docs/security/data-masking/access-unmasked-data.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security/data-masking/access-unmasked-data.mdx b/docs/security/data-masking/access-unmasked-data.mdx index 28994ffa5..444368a6d 100644 --- a/docs/security/data-masking/access-unmasked-data.mdx +++ b/docs/security/data-masking/access-unmasked-data.mdx @@ -11,7 +11,7 @@ Masking precedence: [Masking Exemption](/security/data-masking/access-unmasked-d Certain roles can grant masking exemption to the users to access the unmasked data: - Built-in roles: `Workspace Admin`, `DBA`, `Project Owner`. -- [Custom roles](/administration/roles): `bb.policies.create`, `bb.policies.update`, `bb.policies.delete`. +- [Custom roles](/administration/roles): `bb.policies.createMaskingExemptionPolicy`, `bb.policies.updateMaskingExemptionPolicy`, `bb.policies.deleteMaskingExemptionPolicy`. To grant masking exemption: From 38e3856c8e746dd30a39b66b680ebbb3e172a165 Mon Sep 17 00:00:00 2001 From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 02:10:44 +0000 Subject: [PATCH 2/3] Update docs/security/data-masking/global-masking-rule.mdx Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com> --- docs/security/data-masking/global-masking-rule.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/security/data-masking/global-masking-rule.mdx b/docs/security/data-masking/global-masking-rule.mdx index 79656749d..b4b402e4c 100644 --- a/docs/security/data-masking/global-masking-rule.mdx +++ b/docs/security/data-masking/global-masking-rule.mdx 
@@ -17,7 +17,10 @@ Admins may want to batch apply masking settings globally. e.g. Global masking rule along with [Semantic Types](/security/data-masking/semantic-types) allows you to do this. It's similar to the iptables where you configure an ordered rule list. The first matching rule will be applied. If no rule matches, no `Semantic Type` will be applied. -`Workspace Admin` and `DBA` can set global masking rules to mask the data. +Certain roles can set global masking rules to mask the data: + +- Built-in roles: `Workspace Admin`, `DBA`. +- [Custom roles](/administration/roles): `bb.policies.createMaskingRulePolicy`, `bb.policies.updateMaskingRulePolicy`, `bb.policies.deleteMaskingRulePolicy`. 1. Go to **Data Access**>**Global Masking**. 1. Click **Add**. Click **+Add condition** or **+Add condition group**, set **Semantic Type** and then click **Confirm**. From fae67ae40f14c37c30f29bd27bf680b9b1f63966 Mon Sep 17 00:00:00 2001 From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 02:10:54 +0000 Subject: [PATCH 3/3] Update docs/administration/roles.mdx Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com> --- docs/administration/roles.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/administration/roles.mdx b/docs/administration/roles.mdx index a5512a0cd..ce95cded5 100644 --- a/docs/administration/roles.mdx +++ b/docs/administration/roles.mdx 
@@ -38,6 +38,10 @@ Bytebase provides two types of roles: Organizations can create custom roles with specific permission sets tailored to their needs. Custom roles are defined at the workspace level and can be granted at both workspace and project levels. + +**Granular Permissions:** Bytebase provides granular permissions for sensitive operations like masking policies. For example, instead of generic `bb.policies.create/update/delete` permissions, you can grant specific permissions like `bb.policies.createMaskingExemptionPolicy` or `bb.policies.updateMaskingRulePolicy` to control access to masking exemptions and global masking rules separately. + + ### Granting Roles Roles are granted through IAM policies at two levels:
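Review bot: in PATCH 1/3 (access-unmasked-data.mdx) the rewritten `Custom roles` bullet lists three permissions, not roles, under a sentence that says "Certain roles can grant masking exemption". Suggest wording it as "Custom roles that include `bb.policies.createMaskingExemptionPolicy`, ..." and stating whether a role needs all three permissions or only the one matching the action it performs, since that decides how narrowly an exemption-granting role can be scoped.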
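Review bot: in PATCH 2/3 (global-masking-rule.mdx) the numbered steps starting at "1. Go to **Data Access**>**Global Masking**." now follow the new bullet list with no lead-in, so they read as a continuation of the role list. The exemption page touched in PATCH 1/3 has "To grant masking exemption:" before its steps; a matching line such as "To add a global masking rule:" after the bullets would keep the two pages parallel. The `Custom roles` bullet here also lists permissions as if they were roles, the same wording issue as in PATCH 1/3.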
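Review bot: the added **Granular Permissions** paragraph in PATCH 3/3 (roles.mdx) says the specific permissions are granted "instead of generic `bb.policies.create/update/delete` permissions" but does not say whether a custom role that already holds the generic permissions can still manage masking exemptions and global masking rules. Anyone auditing existing custom roles needs that answer, so add one sentence stating it. `bb.policies.create/update/delete` is also shorthand rather than a permission name; spell out the three names as the line removed in PATCH 1/3 did, and consider linking to the two masking pages, which list the full permission sets, since this paragraph names only two of the six.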